OpenID security questions
Dick Hardt
dick at sxip.com
Thu Sep 14 06:50:03 UTC 2006
Would be interesting if OpenID deployment helped drive DNSSEC
deployment. :-)
On 12-Sep-06, at 9:23 AM, Alaric Dailey wrote:
>
> SSL doesn't protect against DNS Poisoning/spoofing/pharming or
> whatever you want to call it. SSL protects against spoofing only
> if people turn on revocation checking AND no-one uses self-signed
> certs (self-signed certs are counterproductive when trying to create
> trust), otherwise it would only protect against data being
> eavesdropped on. DNSSEC is the way to protect against DNS spoofing.
>
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> On Behalf Of Granqvist, Hans
> Sent: Tuesday, September 12, 2006 11:08 AM
> To: Burt Harris
> Cc: general at openid.net
> Subject: RE: OpenID security questions
>
> Burt,
>
> I just posted a proposal to specs at openid.net
>
> Thanks,
> Hans
>
>
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> On Behalf Of Burt Harris
> Sent: Monday, September 11, 2006 4:05 PM
> To: general at openid.net
> Subject: OpenID security questions
>
> I’ve spent the weekend reading up on OpenID. Very cool, I’m
> interested. I’ve got a couple of questions regarding security
> of the approach:
>
> Has a systematic analysis of threats to OpenID been made and
> published?
>
> Does OpenID require that SSL be used by the consumer site when
> fetching the identifier URL? If not, wouldn’t that leave the
> entire sequence of operations vulnerable to DNS spoofing, etc?
>
> Burt Harris
> Microsoft Live Meeting
>